I'm glad to hear you're up and running again.

Note that LE frowns extremely hard at the way we hardcode the
intermediates and have told us that this will break again eventually.

So keep this in the back of your mind.

rob

Giulio Casella wrote:
> Thank you Rob, I was already tweaking with new letsencrypt certificates,
> but to make it work I had to manually add two of them (r10 and r11) to
> /etc/ipa/ca.crt (simply paste, then restart httpd). I did this trick
> only on first server, on the other two a simple setup-le.sh (newer
> patched version, including latest certs) did the magic.
> 
> Back on business!
> 
> Thank you again.
> 
> On 25/07/2024 21:12, Rob Crittenden via FreeIPA-users wrote:
>> Giulio Casella via FreeIPA-users wrote:
>>> Hi,
>>> I'm having trouble after this morning's update: I had a setup (based on
>>> RHEL 9) with 3 IPA servers, with certificate generated by letsencrypt
>>> (https://github.com/freeipa/freeipa-letsencrypt).
>>> After updating I noticed the web UI was using a self-signed CA, so I ran
>>> setup-le.sh. The certificates were correctly regenerated, and the
>>> browser was happy.
>>> But when I try to login it fails, and in httpd error log I find:
>>>
>>> [Thu Jul 25 18:20:53.773180 2024] [wsgi:error] [pid 15636:tid 15924]
>>> [remote 10.10.10.10:38566] ipa: INFO: 401 Unauthorized:
>>> HTTPSConnectionPool(host='dc1.example.com', port=443): Max retries
>>> exceeded with url: /ipa/session/cookie (Caused by
>>> SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED]
>>> certificate verify failed: unable to get local issuer certificate
>>> (_ssl.c:1129)')))
>>>
>>> Trying to rerun setup-le.sh now the "ipa-certupdate" part fails with
>>> same error:
>>>
>>> cannot connect to 'any of the configured servers':
>>> https://dc1.example.com/ipa/json, https://dc3.example.com/ipa/json,
>>> https://dc2.example.com/ipa/json
>>>
>>> It seems some old certificate (ca or server) is still inside IPA.
>>>
>>> Other services (NFS, ssh to ipa clients, ...) seem to work. I hope it's
>>> not only the sss cache!
>>
>> See https://github.com/freeipa/freeipa-letsencrypt/issues/50
>>
>> rob
>>
> 

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
